DNSSEC and end users
Good morning to all,

This is your SSAC liaison speaking. I am requesting your thoughts on what expected impact DNSSEC will have on end users. My goal is to contribute ideas to the agenda of the DNSSEC sessions at the San Francisco meeting.

Currently, with DNSSEC enabled on the DNS resolver you use (typically, the one assigned to you by your ISP), a domain name failing DNSSEC resolution returns a code to your browser saying the domain does not exist. You would get a blank page displayed in your browser saying the domain is unreachable, similar to what you get when you type an invalid domain name in the browser bar.

Some suggest that browsers should return a warning instead, similar to the one you get with an invalid SSL certificate. The counter-argument to this is that most users tend to ignore these warnings anyway and just click OK to go ahead. Further, some say that ISP support desks will get lots of calls from customers complaining about "the Internet is not working" if users are annoyed by pop-up messages, for what appears to be legitimate domain names.

Obviously, I do not claim that the Internet is just the web. But it is right now the most visible part and the one which requires direct interaction from the user.

I am interested in your thoughts about this.

Patrick Vande Walle
-- Blog: http://patrick.vande-walle.eu Twitter: http://twitter.vande-walle.eu
Hi Patrick,

Thanks for asking.

I think that ultimately the web is for the benefit of the people who use it. So is DNSSEC. I am uncomfortable with the idea of not telling people what's going on (giving them a message) because they might do the "wrong" thing. I think there has to be a very compelling reason to withhold information from users, and the "users are stupid" argument is not a good one in my opinion.

I hope that helps,

Antony
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large
At-Large Official Site: http://atlarge.icann.org
+1. Some simple explanatory text is best, not a blank page.

Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
Dear Patrick:

I am convinced that the Internet must be "clear and transparent." I think of the thousands who daily enter the Internet for the first time. Messages must be simple and without technical words that interrupt the communication between the person who issued the idea and the recipient.

The blank page does not tell anything to the users; I did not choose this idea. The page in "red" (invalid SSL certificate) manages to scare users and makes them leave the site without finding out what is happening. This also does not properly inform the user.

I think this can be solved by the simple choice of words in a short paragraph with clear backgrounds, so as not to scare users, and that can be understood by a 7-year-old who can already read.

Regards

Sergio Salinas Porto
President, Internauta Argentina
Asociación Argentina de Usuarios de Internet <http://www.internauta.org.ar>
FLUI - Federación Latinoamericana de Usuarios de Internet <http://www.fuilain.org>
LACRALO - ALAC Member
facebook:salinasporto twitter:sergiosalinas MSN/MSN YAHOO/Talk: salinasporto... Skype:internautaargentina Mobi:+54 9 223 5 215819
++1

Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================
* Patrick Vande Walle wrote:
Currently, with DNSSEC enabled on the DNS resolver you use (typically, the one assigned to you by your ISP), a domain name failing DNSSEC resolution returns a code to your browser saying the domain does not exist
Currently almost all ISPs' validating resolvers will return the "invalid" data without the AD bit set. So the widely used plugins for Firefox and MSIE will report a warning in the address line. I do expect this way to become the default resolution policy. If you need the validation, you will rely on the AD bit or use the newer API (val_get...) to provide much better error messages to the user.
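As an added illustration (not code from any poster in this thread), the sketch below decodes the two response header fields this exchange turns on, the AD bit and the response code, and maps them to the kind of message an application could show. The function names, the message wording and the sample headers are constructed for the example.

```python
import struct

# Header flag masks: QR from RFC 1035, AD from RFC 4035.
QR, AD = 0x8000, 0x0020
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def make_header(flags: int, answers: int = 0) -> bytes:
    """Build a constructed 12-byte response header (no sections follow)."""
    return struct.pack("!6H", 0x1A2B, flags, 0, answers, 0, 0)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header is 12 bytes")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    return {"ad": bool(flags & AD), "rcode": flags & 0x000F, "answers": an}

def user_message(msg: bytes, resolver_trusted: bool) -> str:
    """Map header fields to hypothetical wording an application could show."""
    h = parse_header(msg)
    rcode = RCODES.get(h["rcode"], f"RCODE {h['rcode']}")
    if rcode == "SERVFAIL":
        # RFC 4035 section 5.5: a validating resolver answers SERVFAIL for
        # data that fails validation; the header alone does not say why.
        return "lookup failed: server error or DNSSEC validation failure"
    if rcode == "NXDOMAIN":
        return "name does not exist"
    if rcode != "NOERROR":
        return f"lookup failed ({rcode})"
    if h["ad"] and resolver_trusted:
        return "answer validated by the resolver"
    if h["ad"]:
        # RFC 4035 section 4.9.3: AD means nothing over an untrusted path.
        return "answer claims validation, but the resolver path is untrusted"
    return "answer not validated"

# Constructed samples: QR|RD|RA = 0x8180, plus AD (0x0020) or an RCODE.
SAMPLES = {
    "validated": make_header(0x81A0, answers=1),
    "unvalidated": make_header(0x8180, answers=1),
    "servfail": make_header(0x8182),
    "nxdomain": make_header(0x8183),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:12} -> {user_message(msg, resolver_trusted=True)}")
```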
Thanks Lutz.

For anyone interested, here is the link to the nic.cz plugin for Firefox: http://www.dnssec-validator.cz

The Internet Explorer version is at: http://cs.mty.itesm.mx/dnssecmx/index.php/executable

Of course this will only work if your ISP has enabled DNSSEC on its resolvers, or if you are running your own.

One suggestion was to invite Mozilla/Opera/IE/Chrome and Safari developers to speak about their project related to DNSSEC, if any. I am not sure this suggestion will go through. It would make sense, IMHO. Cupertino and Mountain View are in the neighbourhood of San Francisco after all.

Patrick
I tend to agree with the idea that coming back with a warning is dangerous since users really ignore such alerts. Coming back blank is the best way. The user will give up after some attempts.

Vanda Scartezini
Polo Consultores Associados
IT Trend
Alameda Santos 1470 1407,8
01418-903 São Paulo, SP, Brasil
Tel + 5511 3266.6253
Mob + 55118181.1464
participants (6)
- Antony Van Couvering
- Carlton Samuels
- Lutz Donnerhacke
- Patrick Vande Walle
- presidencia Internauta Argentina
- Vanda UOL